Tuesday 21 October 2014

DefCamp D-CTF Challenge

On the 18th of October, Defcamp conference organized a hacking CTF challenge to the public called D-CTF. As we had participated in several CTF events, (from SANS, Symantec CRC and recently from NUS SoC) we decided to take up this challenge just for the fun of it and see how well we can do in a CTF organized by the Europeans.

The banner of the CTF challenge

The challenges. The Quest and the MISC challenges are the ones that need to think out of the box.

Try solving these non-technical challenges. :)

951 teams participated and though we didn't make it to the top 10, i am pleased to see a Singapore team 'Dystopian Narwhals' to be at the 30th spot.

A short bio of the 'Dystopian Narwhals'. I've seen this team participated/participating in many CTF events and they have been doing well in many competitions/challenges be it online or offline. 


This experience allowed me to gather a group of cyber security enthusiasts to form a team to join this challenge and thus Defcon SG is born.. We were happy to be in the 57th spot out of 951 teams that participated. :)


Thursday 16 October 2014

NUS SoC Hacking Challenge 7 - On Your Own!

Level 7 - Final Level of the Hacking Challenge!

Credits goes to my colleague Jan Teo YZ for completing this stage. 



The Starting point of Level 7 Stage




    Hmm, a picture, two buttons and an input field. A quick search on “Symbol ciphers” gave the above image.


Something similar to the first image.



Using the Freeman’s cipher, we can decipher the picture 



Upon deciphering the symbol against the characters, we get the above sentence "YOU HAVE ALMOST REACHED HEKA"

Trying the phrase “You have almost reached Heka” doesn’t give us access, let’s click on the “download” button and see what it gives us

Just a piece of text file with nothing on it (of course, its invisible)


Lots of white spaces and tabs… hmm. A quick search through google revealed the above.

Aha... Whitespace. Trying it out in SNOW, compiling as the Whitespace programming language gave no results.(A Segmentation Fault occurs when you try compiling it) After trying for a long while with no results, I had to resort to asking NUS for tips.


It finally hits me. Going back to the document, I replaced all spaces with zeros and tabs with ones and separated them in sets of 8 (a byte)


Pasting them into a binary to ASCII converter


We get the phrase “Well done! Orb secured.” Concatenate both phrases and we get “You have almost reached Heka Well done! Orb secured."

LEVEL 7 CONQUERED!!!!


Tuesday 14 October 2014

NUS SoC Hacking Challenge 6 - The Flash

Second Last Level for the NUS SoC Hacking Challenge!

So in level 6, we only have this flash image and no hints at all.


Thanks to my experience in performing on analyzing vulnerabilities of flash files, first thing i did was to download the .swf file from the site (Thank you Firefox for making this easy!). Once downloaded, i used the free HP SWFScan to decompile the flash file. And yeap, found a string that is really suspicious. 


So i placed the string of text into the form field BUT then, the submit button was not able to be clicked on. It looked like it was disabled. Using Firebug addon for Firefox (Again, thank you Firefox!), i search for the Submit button and look at the HTML code. Fair enough, it was 'disabled'.

 
So trying my luck, using Firebug, i edited the 'disabled' and turned it to 'enabled'. And sure enough, when i edited that, i was able to click Submit. And i was happy it went through!!


Next stop - Level 7!!!!

NUS SoC Hacking Challenge 5 - Break Me Down


Challenge 5 - Break Me Down


Again, a Username and Password console. Except that this did not use the same credentials like the previous challenges. 

From the page, there is an option to Upload a Txt file. This was my perhaps my clue. Problem here is, its hard to perform brute force of the site to search for hidden files or directories. Instead, i used a technique called Spidering or some may call it Web Crawling. For this level, i used Burpsuite to do my spidering. As expected, it managed to crawl through and found the hidden files and folders. (My colleague told me that he used a technique called 'Directory Traversal, which was by right the expected way of doing it..)


Next, i went straight to the first directory /uploadsAtria/


Then i went to /Atria


And finally the 'details.txt'. And yeap, JUICY!!! The password seemed to look like a form of hash. First thing that came up to my mind was PASSWORD/HASH CRACKING/DECRYPTING!!!


But in order for me to do that, i need to identify what type of hashing algorithm it was using. Thanks to this website, i pasted the hash and it gave me a list of possible algorithms.


Based on experience and with a collection of websites that do hash decryption or cracks, i load multiple sites and see which one will crack it for me. And yes! My collection of these online crackers did not fail me.

So with the Username from the 'details.txt' and the Password cracked from the website, crossed my fingers and click Login... Yeah Baby! Level 5 is down i repeat Level 5 is down!!!

Next stop - Level 6!


NUS SoC Hacking Challenge 4 - Locate Me


Challenge 4 - Locate Me

So all you have were these. 7 Images. And thats it.

Like previous levels, after viewing the source code and found nothing, its basically up to the images itself that were the clues. So i decided to save all the images onto my desktop.

But here's the interesting part. The names of these images seemed to skip a number.

And since the title of the challenge is called 'Locate me', i decided to search for the missing number. Of course, like the other extension of the images, it varies. So i decided to try one by one. First '6.jpg' but there's no such file in the server.

Next, i decided to search for '6.jpeg' and YES! found the hidden image.

As usual, saved the image on the desktop. Here's the thing, it wasn't easy. I initially suspect this file to be either a manipulation of colors or steganography. I spent over 3 hours trying to decrypt or decode the images using both downloaded and online tools. It was such a pain! 

Then i decided to perhaps RE-open it in a notepad instead. And there's the damn key! 

Here's the thing. I did this way before i analyze the file using steganography tools and color manipulation. So when a colleague of mine messaged me that he was at the other level. I was like "Dude! How!". And he told me to analyze it by opening the file using a notepad, i told him i did and it was all garbage. He told me "Look closer". So i took a look at it, slower and closer and there it was!!!! Right in front of my eyes! Lesson Learned: Always take a much closer look - and take your time. :)

My conversation with my colleague. Excuse my language. It was the heat of the moment. ;)


So copy the string and Submit! Sweet! Level 4 Down!!!!

Next Stop - Level 5

NUS SoC Hacking Challenge 3 - Manipulate Me

Challenge 3 - Manipulate Me.

Similar like Level 1, you are tasked to enter a valid Username and Password and see if you can get access to Level 4.

So that's precisely what i did, putting the valid Username and Password from Level 1 and click Login.

However, when i clicked Login, this was the page i was directed. Notice the URL that directed me to a page called 'Gem.php'. Yet i need to reach to a level called Narda.

So when i manipulate the Gem.php to Narda.php, another message came. 'Not yet There'. Hmmm.... so the idea was there but i couldn't reach there yet.

So after so many hours spent, trial and errors made, using Burpsuite, i had to observe the HTTP response and intercept it and analyze the whats going out and whats coming in. So when i noticed that 2 values in the GET response that seemed to be suspiciously involved in this, i again test my luck and manipulate the Narda = false to Narda = true and instead of challenges/3/Gem.php, i manipulated it to challenges/3/Narda.php and click Forward.

Once that manipulation was made, i noticed the next response that i intercepted was the GET response, and instead of getting me back to challenges/3/, it directed me to challenges/4/.... Hell YEAH!!! Level 3 - Conquered!

Next Stop - Level 4

I have to be honest, that i spent over 24 hours trying to figure out how to pass this level. I tried XSS, SQL injection and many other ways including running a scan to find anything that i missed. But when everything else fails, you know you just need to keep trying and i kept telling myself...its bloody Level 3! It shouldn't be that tough. And my determination paid off... and yes, now that you've seen how i did it, its not that hard right?